An old-school solution to identity theft
Brendan McDermid/Reuters/File
Washington
The calls started coming immediately following the 2017 Equifax data breach. Roughly half of Americans’ Social Security numbers had been compromised, and the Trump administration, congressional staff, and members of the banking and health-care industry all had one question.
“They wanted to know ‘what do we do now?’ ” says Jeremy Grant, a former senior executive adviser for the National Strategy for Trusted Identities in Cyberspace during the Obama administration.
At the time, Congress was considering a series of bills related to the use of Social Security numbers, while the Trump administration was floating the idea of replacing SSNs with another form of nonnumerical identification – possibly a biometric identification or a unique fact about an individual.
Why We Wrote This
The digital age has opened doors for consumers – and identity thieves. A group of financial security experts wants to empower users to guard their identity by honing an existing tool: the Social Security number.
Mr. Grant believed in a different and simpler answer, one that has gained attention as a possible solution. Rather than create a new single authenticator that would be costly to develop and difficult to implement – especially for vulnerable populations who often mistrust the government – Grant worked with a coalition of industry and government leaders to re-envision the question of personal identification in the digital age.
And he’s not the only who sees enduring relevance for SSNs.
“Because SSNs are unique, persistent, and ubiquitous, they are a good way to match people,” such as for a bank to tell the John Smith with good credit from the John Smith with bad credit, says Steven M. Bellovin, professor of computer science at Columbia University in New York City, who helped produce two National Academies reports on the difficulties of creating a national identity system. If SSNs were replaced, Bellovin says it would throw commerce into chaos.
The Better Identity Coalition, an industry group spearheaded by Grant, is focused on rethinking the SSN’s role for the age of hackers and massive data breaches. The group’s basic idea: The pragmatic solution will be a system that relies on multiple points of individual data rather than a single authenticator, whether it’s an SSN or some new digital or biometric token.
‘An old-fashioned idea’
It remains to be seen if Grant and his coalition will carry the day in the debate over digital identity. But they have gained an audience in Washington.
And in a sense their vision is stepping back toward the SSN’s original purpose. From its inception, the intent of the SSN was to be an identifier and to know which “John Doe” the Social Security Administration (SSA) should associate wage and tax data with. But over time public and private entities such as the state motor vehicle departments and health insurance companies have come to rely on the SSN for a different purpose: as an authenticator to verify that someone is who the person claims to be.
The problem with using an SSN as an authenticator is it assumes SSNs are a closely held secret when in truth they are no longer secure, Grant says. In fact, nearly 179 million records containing personal information were exposed in 2017 data breaches, according to the Better Identity Coalition.
“The idea that your SSN is a secret and could be kept a secret is an old-fashioned idea,” Grant says. “The last four digits [of your SNN] don’t offer security, but it can be used as an identifier.”
The Better Identity Coalition is proposing that government agencies, such as motor vehicle departments or the SSA, confirm an individual’s identity – at the individual’s request. For instance, an individual attempting to open a bank account could ask the SSA to validate whether there really is an individual with his or her name, SSN, and date of birth. The SSA would only need to respond yes or no, not provide any additional personal data, Grant says. Simultaneously, the individual could ask the department of motor vehicles to validate that a person with this name, address, date of birth, and driver’s license number exists.
Maintaining multiple avenues for identity verification by different government agencies using a distinct piece of data would help to minimize cybersecurity risks, say members of the coalition, which includes representatives ranging from the banking, medical, and computer-security industries, among others.
“Minimize” is a key word. In the coalition’s view, the realistic goal is not so much to have a flawless identifier as one that works with a high level of confidence and is hard for cheaters to exploit.
Such a system could also help consumers feel an element of autonomy in an often-daunting digital world. Consumer oversight of verifications is key, says Donna Beatty, part of the coalition and head of global product management at JP Morgan Chase.
“Consumers have to have control over the information – how they use it and which service providers will confirm which pieces of your identity,” Ms. Beatty said at recent cybersecurity policy forum in Washington sponsored by the Better Identity Coalition, the National CyberSecurity Alliance, and The FIDO (Fast Identity Online) Alliance.
An SSN for the 21st Century?
If a modernized SSN system may hold promise, some experts question how the government will implement these changes.
“There will need to be procedures in place to make sure it’s not just a one-stop shop for people who want to verify stolen information to know that they actually have a legitimate commodity in their hands,” says Jamie Court, president of the nonprofit group Consumer Watchdog in Los Angeles. “Once you authorize this type of identity verification, security experts will need to think through how it might be used for ill and what types of check and balances there need to be.”
For instance, he suggests there might need to be a limited number of accredited people who can access the information as well as a way to verify the verifier. A better option might be for the government to make it easier for the SSA to reissue an SSN when someone’s identity has been stolen, says Mr. Court, who advocates for consumer rights related to privacy and technology.
Meanwhile, advocates for the poor and homeless warn that proving identity is tricky for anyone without a permanent address or a driver’s license.
“Not everyone has a driver license, and not everyone has the ability to obtain a driver’s license or other form of ID,” says Maria Foscarinis, executive director for the National Law Center on Homelessness & Poverty in Washington.
There has to be a way to prove identity that isn’t dependent on someone having money to pay for a copy of their birth certificate or an address to prove their identity, she says. Birth certificates, which are needed to get an ID, are often stolen by others or confiscated by police when homeless people are living in a shelter or public place, she says.
However, most people do have an SSN, she says, and it would be helpful to be able to ask the SSA to validate that there is an individual with this name, SSN, and date of birth, particularly if that validation could be used when someone is applying for housing, a public benefit, or even a job.
“But [homeless people] would have to know this resource is available, how to gain access to it, and it would have to not cost anything,” she says.
Bringing identification online
Grant says that at the heart of what the coalition is trying to achieve is giving consumers the right to ask a government entity to help prove who they are.
Yet some privacy experts question whether making it more convenient, less expensive, and more reliable to prove someone’s identity online will have negative consequences for consumers.
If it becomes easy and straightforward to officially prove someone’s legal identity online, it might become tempting for regulators to expand the requirements for businesses collecting, using, and retaining SSNs, making it easier to track individuals online, says Seth Schoen, senior staff technologist for the Electronic Frontier Foundation, a San Francisco-based nonprofit focused on defending digital privacy, free speech, and innovation.
People who might not want to be tracked online could find that they’re forced to be identified by their online purchases and online activities, he says. These changes also have the potential to impact free speech, Schoen says. In China, for instance, residents are legally required to identify themselves when they comment online, and this often restricts what people are willing to say.
The idea of giving consumers the right to ask a government entity to help prove their identity is also on government’s radar. In July, the Treasury Department released a fintech report that echoes what the Better Identity Coalition is recommending in its white paper. The Treasury report calls for enhancing public-private partnerships on digital legal identity products and services. Treasury also wants to improve consumers’ access to their financial data.
Agencies have the authority to make many of the changes being advocated by the Better Identity Coalition, Grant says.
He is hopeful the changes the coalition is proposing will ultimately help all individuals to do more online with greater privacy and convenience.
“One of the issues is that most businesses do business digitally, but we are locked into paper IDs,” he says.
Grant points to his experience applying for a home equity loan online. He filled out the online forms and, at the end of process, was told to go to the nearest bank branch to finish applying for his loan.
“Why can’t I log into the DMV site securely and ask them to validate my identity so I can get that loan?” Grant asks. “We’re not set up for citizens to ask the government to play this role.”